A new Distributed Denial of Service (DDoS) campaign, dubbed Panamorfi, has recently been discovered, exploiting misconfigured Jupyter notebooks and Discord to launch its attacks. The campaign is operated by the threat actor known as yawixooo, who targets internet-facing Jupyter notebooks exposed online. By exploiting these notebooks, attackers deploy a Minecraft server DDoS tool through a Discord channel, intending to overwhelm and disrupt the target servers. This method poses a significant threat to data practitioners, including data engineers, analysts, and scientists, who frequently use Jupyter notebooks for their work.
The attack begins when yawixooo gains access to a vulnerable Jupyter notebook and executes a command to download a zip file from a file-sharing platform. The zip file, containing two Jar files—conn.jar and mineping.jar—facilitates the DDoS attack. The conn.jar file, which is used to control the attack, connects the victim’s machine to a specified Discord channel, while mineping.jar is a known Minecraft server DDoS tool available on GitHub. This tool is equipped to launch a TCP flood attack, aimed at consuming the resources of the target server and causing disruptions.
Researchers from Aqua Nautilus reported that the Panamorfi attack was observed using an exposed honeypot Jupyter notebook. The attackers’ use of a publicly available Minecraft server DDoS tool demonstrates the innovative and varied methods employed in modern cyberattacks. The deployment of such tools through platforms like Discord highlights the evolving tactics used by threat actors to maximize their attack potential.
To defend against such campaigns, it is crucial for organizations to implement robust security practices. This includes restricting access to Jupyter notebooks, blocking the execution of malicious files like conn.jar and mineping.jar, and regularly updating systems with the latest security patches. Security researchers advise against sharing sensitive information or credentials on Jupyter notebooks to mitigate the risk of such targeted attacks.
Reference: